SANS Digital Forensics and Incident Response Blog: Tag - ASM

Digital forensics practitioners, incident responders and *nix system administrators should be aware of programming tools that can aid attackers. It is simple for an attacker to load code when compilers or other tools are installed on a system. In this event, the attacker can simply add any tools that are desired by compiling them on the host. Source code can be uploaded over ASCII connections such as telnet, so even a console can be used to load one's favorite tools when compilers are installed.

In many cases, compilers and other similar tools have been restricted or (ideally) not installed on production systems. Where this is the case, it is still common to discover many related tools (including disassemblers) on a host. Some of these tools are covered in this section. These may allow an attacker to create and load code on a system, so when analysing a compromised host, you need to think beyond gcc and the common compilers.

"I had taken several other forensic courses prior to this one, but none of them or their instructors made understanding forensic methodologies and techniques as clear and understandable as Rob Lee and this course has."- Nathon Heck, Purdue

"Rob Lee is a master of the subject matter. The material is presented in a way that is understandable. Rob is also charismatic enough to make the course enjoyable."- Erik Ketlet, JP Morgan Chase

"A great course on timeline, registry, and restore point forensics. SANS is continuing to be the leader on teaching new techniques happening with forensics."- Brad Garnett, Gibson County Sherrif's Dept.